DESCRIPTION audisp-remote.conf is the file that controls
the configuration of the audit remote logging subsystem. The
options that are available are as follows:

remote_server This is a one word character string that
is the remote server hostname or address that this plugin
will send log information to. This can be the numeric
address or a resolvable hostname.

port This option is an unsigned integer that indicates
what port to connect to on the remote machine.

local_port This option is an unsigned integer that
indicates what local port to connect from on the local
machine. If unspecified (the default) or set to the word any
then any available unpriviledged port is used. This is a
security mechanism to prevent untrusted user space apps from
injecting events into the audit daemon. You should set it to
an unused port < 1024 to ensure that only priv- ileged
users can bind to that port. Then also set the
tcp_client_ports in the aggregating auditd.conf file to
match the ports that clients are sending from.

transport This parameter tells the remote logging app
how to send events to the remote system. The only valid
value right now is tcp. If set to tcp, the remote logging
app will just make a normal clear text connection to the
remote system. This is not used if ker- beros is
enabled.

mode This parameter tells the remote logging app what
strategy to use getting records to the remote system. Valid
values are immedi- ate, and forward . If set to immediate,
the remote logging app will attempt to send events
immediately after getting them. forward means that it will
store the events to disk and then attempt to send the
records. If the connection cannot be made, it will queue
records until it can connect to the remote system. The depth
of the queue is controlled by the queue_depth option.

queue_file Path of a file used for the event queue if
mode is set to for- ward. The default is
/var/spool/audit/remote.log.

queue_depth This option is an unsigned integer that
determines how many records can be buffered to disk or in
memory before considering it to be a failure sending. This
parameter affects the forward mode of the mode option and
internal queueing for temporary net- work outtages. The
default depth is 2048.

format This parameter tells the remote logging app what
data format will be used for the messages sent over the
network. The default is managed which adds some overhead to
ensure each mes- sage is properly handled on the remote end,
and to receive sta- tus messages from the remote server. If
ascii is given instead, each message is a simple ASCII text
line with no overhead at all. If mode is set to forward,
format must be managed.

network_retry_time The time, in seconds, between retries
when a network error is detected. Note that this pause
applies starting after the sec- ond attempt, so as to avoid
unneeded delays if a reconnect is sufficient to fix the
problem. The default is 1 second.

max_tries_per_record The maximum number of times an
attempt is made to deliver each message. The minimum value
is one, as even a completely suc- cessful delivery requires
at least one try. If too many attempts are made, the
network_failure_action action is per- formed. The default is
3.

max_time_per_record The maximum amount of time, in
seconds, spent attempting to deliver each message. Note that
both this and max_tries_per_record should be set, as each
try may take a long time to time out. The default value is 5
seconds. If too much time is used on a message, the
network_failure_action action is performed.

heartbeat_timeout This parameter determines how often in
seconds the client should send a heartbeat event to the
remote server. This is used to let both the client and
server know that each end is alive and has not terminated in
a way that it did not shutdown the connection uncleanly.
This value must be coordinated with the servers
tcp_client_max_idle setting. The default value is 0 which
dis- ables sending a heartbeat.

network_failure_action This parameter tells the system
what action to take whenever there is an error detected when
sending audit events to the remote system. Valid values are
ignore, syslog, exec, suspend, single, halt, and stop. If
set to ignore, the remote logging app does nothing. Syslog
means that it will issue a warning to syslog. This is the
default. exec /path-to-script will execute the script. You
cannot pass parameters to the script. Suspend will cause the
remote logging app to stop sending records to the remote
system. The logging app will still be alive. The single
option will cause the remote logging app to put the computer
system in single user mode. The stop option will cause the
remote logging app to exit, but leave other plugins running.
The halt option will cause the remote logging app to
shutdown the computer system.

disk_low_action Likewise, this parameter tells the
system what action to take if the remote end signals a disk
low error. The default is to ignore it.

disk_full_action Likewise, this parameter tells the
system what action to take if the remote end signals a disk
full error. The default is to ignore it.

disk_error_action Likewise, this parameter tells the
system what action to take if the remote end signals a disk
error. The default is to log it to syslog.

remote_ending_action Likewise, this parameter tells the
system what action to take if the remote end signals a disk
error. This action has one addi- tional option, reconnect
which tells the remote plugin to attempt to reconnect to the
server upon receipt of the next audit record. If it is
unsuccessful, the audit record could be lost. The default is
to reconnect.

generic_error_action Likewise, this parameter tells the
system what action to take if the remote end signals an
error we dont recognize. The default is to log it to
syslog.

generic_warning_action Likewise, this parameter tells
the system what action to take if the remote end signals a
warning we dont recognize. The default is to log it to
syslog.

queue_error_action Likewise, this parameter tells the
system what action to take if there is a problem working
with a local record queue. The default is to exit.

overflow_action This parameter tells the system what
action to take if the internal event queue overflows. Valid
values are ignore, syslog, suspend, single, and halt . If
set to ignore, the remote log- ging app does nothing. Syslog
means that it will issue a warn- ing to syslog. This is the
default. Suspend will cause the remote logging app to stop
sending records to the remote system. The logging app will
still be alive. The single option will cause the remote
logging app to put the computer system in sin- gle user
mode. The halt option will cause the remote logging app to
shutdown the computer system.

enable_krb5 If set to "yes", Kerberos 5 will
be used for authentication and encryption. Default is
"no". Note that encryption can only be used with
managed connections, not plain ASCII.

krb5_principal If specified, This is the expected
principal for the server. The client and server will use the
specified principal to nego- tiate the encryption. The
format for the krb5_principal is like somename/hostname, see
the auditd.conf man page for details. If not specified, the
krb5_client_name and remote_server values are used.

krb5_client_name This specifies the name portion of the
client s own principal. If unspecified, the default is
"auditd". The remainder of the principal will
consist of the hosts fully qualified domain name and the
default Kerberos realm, like this: auditd/host14.exam-
ple.com@EXAMPLE.COM (assuming you gave "auditd" as
the krb_client_name). Note that the client and server must
have the same principal name and realm.

krb5_key_file Location of the key for this client s
principal. Note that the key file must be owned by root and
mode 0400. The default is /etc/audisp/audisp-remote.key

NOTES Specifying a local port may make it difficult to
restart the audit sub- system due to the previous connection
being in a TIME_WAIT state, if youre reconnecting to and
from the same hosts and ports as before.

The network failure logic works as follows: The first
attempt to deliver normally "just works". If it
doesnt, a second attempt is immediately made, perhaps after
reconnecting to the server. If the second attempt also
fails, audispd-remote pauses for the configured time and
tries again. It continues to pause and retry until either
too many attempts have been made or the allowed time
expires. Note that these times govern the maximum amount of
time the remote server is allowed in order to reboot, if you
want to maintain logging across a reboot.